The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 24 March 2004.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-31 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-31 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 24 March 2004 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION



1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 24 
March 2004 has been entered. 

2. Claims 1, 7, 13, 18, 22, and 26 have been amended in response to the second
office action. Claims 1-31 have been examined. 



Drawings

3. The drawings were received on 24 March 2004. These drawings are acceptable.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall
set forth the best mode contemplated by the inventor of carrying out his invention.

4. Claims 1-31 are rejected under 35 U.S.C. 112, first paragraph, because the
specification, while being enabling for determining an attack pattern in general, does not 
reasonably provide enablement for determining whether an attack pattern is a 
disclosure attack, integrity attack, and/or a denial of service attack. The specification 
does not enable any person skilled in the art to which it pertains, or with which it is most 
nearly connected, to use the invention commensurate in scope with these claims. For 
purposes of the prior art search, it is being presumed that any disclosure of checking a 
URL for one of the specified attacks is sufficient. 

Regarding claims 1, 7, 13, 18, 22, and 26, although the specification does supply
a description of each of these types of attacks, there is no disclosure as to how 
particular patterns would be usable for making the determination that a pattern, in fact, 
conformed to any one of these specific types of attacks. 

All other claims depend from the rejected claims, and include all the limitations of 
those claims, thereby rendering those dependent claims as not enabling. 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention.

5. Claims 1-17 and 22-31 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

Regarding claims 1, 7, 13, 22, and 26, the term "...content that is designed to
constitute..." renders the claims indefinite because it makes it unclear as to whether
the content must actually be one of the enumerated types of attack patterns. For
purposes of the prior art search, it is being presumed that the pattern being searched for is
in fact one of the listed types of patterns.

Claims 2-6, 8-12, 14-17, 23-25, and 27-31 depend from rejected claims 1, 7, 13, 
22, and 26 and include all the limitations of those claims, thereby rendering those 
dependent claims indefinite. 

Claim Rejections - 35 USC § 103 

6. Claims 1-11 and 13-30 are rejected under 35 U.S.C. 103(a) as being
unpatentable over U.S. Patent No. 5,884,033 to Duvall et al. in view of U.S. Patent No.
6,421,781 to Fox et al.

Regarding claims 1, 2, 6, and 18, Duvall defines a plurality of unwanted input
strings to be filtered (see column 3, line 64 to column 4, line 11), a search pattern that
permits variability, can search a portion of the string, and has wildcard characters (see
column 6, lines 28-42), receives an input string on a web server (see column 8, lines 18-27),
evaluates the strings, and takes remedial action if necessary, including denying the
request (see column 6, line 60 to column 7, line 13).

Duvall only discloses the use of the invention for the filtering of URL's that are 
related to material that is objectionable, depending upon the user's tastes and 
sensitivities (see column 2, lines 12-20). The filtering of attacks on a system, such as a 
disclosure attack, integrity attack, or a denial of service attack, is not disclosed. 
Fox discloses the parsing and checking of an incoming URL against a list of
acceptable domains and variations thereof, and notes that this protects against
denial-of-service attacks (see column 11, line 15 to column 14, line 4).

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to use the invention of Duvall by checking a URL against 
domain names, as disclosed by Fox, in order to protect against abusive
denial-of-service attacks.

As per claims 3 and 19, the patterns described in Duvall (see column 6, lines 35-42)
constitute a regular expression.

As per claims 4 and 20, Duvall discloses that the input string may be a URL (see 
column 5, lines 66-67). 

As per claims 5 and 21, Duvall discloses that the input string may be an HTTP
verb request, such as a GET request (see column 6, lines 19-25). 

As per claims 7-10, 13-16, 26, 27, 29, and 30, Duvall discloses that the search
patterns may be stored in RAM (see column 3, lines 45-49). 

As per claim 11, Duvall discloses that the product may be patched onto an
application that is already running (see column 9, line 14 to column 11, line 20).

As per claims 17 and 22-25, the program is stored in a public directory (on a 
disk) before being installed (see column 10, lines 64-66). 

As per claim 28, the list of patterns may be edited (see column 8, lines 1-9). 
7. Claims 12 and 31 are rejected under 35 U.S.C. 103(a) as being unpatentable
over U.S. Patent No. 5,884,033 to Duvall et al. in view of U.S. Patent No. 6,421,781 to
Fox et al. as applied to claims 7 and 26 above, and further in view of Oliver et al., 
"Building a Windows NT 4 Internet Server", 1996, p. 203. 

Duvall discloses that its system may be implemented on a server and that it uses
an API (see column 10, lines 59-63), but Duvall and Fox do not specifically disclose that
it uses ISAPI.

Oliver states that ISAPI (which stands for Internet Server API), which is an API 
native to the Microsoft® Internet Information Server, allows programmers to create 
server applications that take advantage of the web server and is tightly linked to the 
operating system. 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to implement the system of Duvall and Fox by using a 
reliable and well-supported API such as the Microsoft® ISAPI, as disclosed in Oliver, 
when implementing the system disclosed by Duvall and Fox on a Windows NT server. 

Response to Arguments 

8. Applicant's arguments, see Paper No. 9, filed 24 March 2004, with respect to the 
rejections of claims 1-31 under 35 U.S.C. 102 and 35 U.S.C. 103 have been fully 
considered and are persuasive in view of Applicant's amendments to the claims. 
Therefore, the rejection has been withdrawn; it is noted, however, that the content of the 
amendments has also caused new grounds of rejection under 35 U.S.C. 112, as stated
above. Upon further consideration, new grounds of rejection are made in view of U.S.
Patent No. 5,884,033 to Duvall et al. in view of U.S. Patent No. 6,421,781 to Fox et al.
further in view of Oliver et al., "Building a Windows NT 4 Internet Server", 1996, p. 203. 

Regarding Applicant's argument that Duvall does not anticipate the use of RAM 
(see Paper No. 9, p. 16, lines 1-10), it is noted that the location of the relevant material 
in Duvall that was cited in the previous office actions, column 4, lines 45-49, was in 
error. The correct location is column 3, lines 45-49. The Applicant is thanked for pointing 
out the error, and a correction has been incorporated into the new grounds of rejection, 
above. 

Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure.

U.S. Patent No. 6,442,696 to Wray et al. discloses the use of pseudo-URL's to 
prevent various kinds of attacks. 

U.S. Patent No. 6,678,733 to Brown et al. discloses the use of a proxy to protect 
against URL attacks. 

Berners-Lee et al., RFC 2396, "Uniform Resource Identifiers (URI): Generic
Syntax," 1998, discloses various URL parsing issues and security considerations. 
10. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Matthew E. Heneghan, whose telephone number is 
(703) 305-7727. The examiner can normally be reached on Monday-Thursday from 
8:00 AM - 4:00 PM Eastern Time. The examiner can also be reached on alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse, can be reached on (703) 308-4789. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450 
Or faxed to: 

(703) 872-9306 

Hand-delivered responses should be brought to Crystal Park 2, 2121 Crystal 
Drive, Arlington, VA 22202, Fourth Floor (Receptionist). 

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is
(703) 305-3900.



MEH 





GREGORY MORSE
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



April 30, 2004 



